redline | 9255b7a154698669aa8d751692d350651653054f0190f4963e8c28edb37afcc5

General

Target

156845b1bf7447d5131a1392b2809f27.exe
Size

528KB
MD5

156845b1bf7447d5131a1392b2809f27
SHA1

a525aa16b7fe1dc7a568f509861fce60f957f525
SHA256

9255b7a154698669aa8d751692d350651653054f0190f4963e8c28edb37afcc5
SHA512

ff68feb16255008591ffc2d2487639e217f1d95fa35fafdc43c314d3a0746a6375eaf52ee1ceb486957cd63d261442c9d9df7e23d1e0a9d2c8e83d0b78ff3096
SSDEEP

12288:OMrVy90DAo5EyqQ7svdj8POHb9KSTOocNk:HyA5EdQ7kiPsdcNk

Score

10^/10

redline dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sYC88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sYC88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sYC88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sYC88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sYC88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sYC88.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3412	vXp80.exe
1804	dQx82.exe
208	nCc88rL.exe
4488	sYC88.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sYC88.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vXp80.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	156845b1bf7447d5131a1392b2809f27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	156845b1bf7447d5131a1392b2809f27.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vXp80.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	1804	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1804	dQx82.exe
1804	dQx82.exe
208	nCc88rL.exe
208	nCc88rL.exe
4488	sYC88.exe
4488	sYC88.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	dQx82.exe
Token: SeDebugPrivilege	208	nCc88rL.exe
Token: SeDebugPrivilege	4488	sYC88.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3412	1952	156845b1bf7447d5131a1392b2809f27.exe	83
PID 1952 wrote to memory of 3412	1952	156845b1bf7447d5131a1392b2809f27.exe	83
PID 1952 wrote to memory of 3412	1952	156845b1bf7447d5131a1392b2809f27.exe	83
PID 3412 wrote to memory of 1804	3412	vXp80.exe	84
PID 3412 wrote to memory of 1804	3412	vXp80.exe	84
PID 3412 wrote to memory of 1804	3412	vXp80.exe	84
PID 3412 wrote to memory of 208	3412	vXp80.exe	87
PID 3412 wrote to memory of 208	3412	vXp80.exe	87
PID 3412 wrote to memory of 208	3412	vXp80.exe	87
PID 1952 wrote to memory of 4488	1952	156845b1bf7447d5131a1392b2809f27.exe	88
PID 1952 wrote to memory of 4488	1952	156845b1bf7447d5131a1392b2809f27.exe	88

C:\Users\Admin\AppData\Local\Temp\156845b1bf7447d5131a1392b2809f27.exe
"C:\Users\Admin\AppData\Local\Temp\156845b1bf7447d5131a1392b2809f27.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXp80.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXp80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQx82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQx82.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1780
      4⤵
      Program crash
      PID:4892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nCc88rL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nCc88rL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYC88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYC88.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1804 -ip 1804
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYC88.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYC88.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXp80.exe

Filesize
424KB

MD5
da907eb8a286ac0efcfbffdc26a0fe11

SHA1
18954e048e815a83103d5ce0fcae5eb8f28188fa

SHA256
427c00e6d41644be91ea2c4a8e2694bf8b2ee1758d0225725a576f89da9fef09

SHA512
17ee65852ce2cb9a0b89e3869f4925f0d2095f0ac794c66c6421bb08abf2b191e9e4699d0d6e1d0bd70d140737e81877b49125fb88c2595d95bb7b9fb649b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXp80.exe

Filesize
424KB

MD5
da907eb8a286ac0efcfbffdc26a0fe11

SHA1
18954e048e815a83103d5ce0fcae5eb8f28188fa

SHA256
427c00e6d41644be91ea2c4a8e2694bf8b2ee1758d0225725a576f89da9fef09

SHA512
17ee65852ce2cb9a0b89e3869f4925f0d2095f0ac794c66c6421bb08abf2b191e9e4699d0d6e1d0bd70d140737e81877b49125fb88c2595d95bb7b9fb649b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQx82.exe

Filesize
278KB

MD5
6e88575e5a8289855c38133d70e4466d

SHA1
f4dba78bb2db07d4964846d2707136ea7078566a

SHA256
5dddea590a2fa5de71f11a70e98cec2735f106ebe59d84c79f465c2744b89556

SHA512
a4712145bbf4d16d75ed65754c80397f08195917b65ab7f86d8fbb1d9820f7f0c45644045001def0708192387144640850d49aed40cc7a976c1e07b1c622f03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dQx82.exe

Filesize
278KB

MD5
6e88575e5a8289855c38133d70e4466d

SHA1
f4dba78bb2db07d4964846d2707136ea7078566a

SHA256
5dddea590a2fa5de71f11a70e98cec2735f106ebe59d84c79f465c2744b89556

SHA512
a4712145bbf4d16d75ed65754c80397f08195917b65ab7f86d8fbb1d9820f7f0c45644045001def0708192387144640850d49aed40cc7a976c1e07b1c622f03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nCc88rL.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nCc88rL.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
memory/208-158-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

Filesize
200KB

Download
memory/1804-139-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/1804-153-0x00000000008A2000-0x00000000008D1000-memory.dmp

Filesize
188KB

Download
memory/1804-144-0x0000000005C80000-0x0000000005C92000-memory.dmp

Filesize
72KB

Download
memory/1804-145-0x0000000005CE0000-0x0000000005D1C000-memory.dmp

Filesize
240KB

Download
memory/1804-146-0x0000000005F90000-0x0000000006022000-memory.dmp

Filesize
584KB

Download
memory/1804-147-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/1804-148-0x00000000008A2000-0x00000000008D1000-memory.dmp

Filesize
188KB

Download
memory/1804-149-0x0000000006830000-0x00000000068A6000-memory.dmp

Filesize
472KB

Download
memory/1804-150-0x00000000068C0000-0x0000000006910000-memory.dmp

Filesize
320KB

Download
memory/1804-151-0x0000000006940000-0x0000000006B02000-memory.dmp

Filesize
1.8MB

Download
memory/1804-152-0x0000000006B20000-0x000000000704C000-memory.dmp

Filesize
5.2MB

Download
memory/1804-143-0x0000000005B40000-0x0000000005C4A000-memory.dmp

Filesize
1.0MB

Download
memory/1804-154-0x0000000000400000-0x0000000000763000-memory.dmp

Filesize
3.4MB

Download
memory/1804-142-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/1804-138-0x00000000008A2000-0x00000000008D1000-memory.dmp

Filesize
188KB

Download
memory/1804-141-0x0000000000400000-0x0000000000763000-memory.dmp

Filesize
3.4MB

Download
memory/1804-140-0x0000000000800000-0x000000000084B000-memory.dmp

Filesize
300KB

Download
memory/4488-162-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/4488-163-0x00007FF98F5A0000-0x00007FF990061000-memory.dmp

Filesize
10.8MB

Download
memory/4488-164-0x00007FF98F5A0000-0x00007FF990061000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads